BRING YOUR OWN DEVICE POLICY (BYOD)

APPROVED BY: South Gloucestershire Clinical Commissioning Group Quality and Governance Committee
DATE: August 2015

Date of Issue: August 2015
Version No: 7
Review due: August 2017
Author: Thomas Manning, Head of Information and Performance Management


Document status: Current

| Version | Date | Comments |
|---|---|---|
| Draft | October 2013 | Draft Policy for operational use during test project |
| Version 1 | January 2014 | First presentation of full policy to Quality & Governance Committee |
| Version 2 | August 2014 | Following feedback from January’s Quality & Governance Committee and Internal Audit on risk assessments and mitigations |
| Version 3 | September 2014 | Following recommendations from The Internal audit Report: Bring Your Own Device (BYOD) undertaken by Audit South West |
| Version 4 | September 2014 | Following advice from Alex Bunn, Data protection Practitioner, Information Governance Team, South West CSU |
| Version 5 | September 2014 | Following advice taken from the Information Commissioner’s Office publication, ‘Data Protection Act 1998, Bring Your Own Device (BYOD)’ http://ico.org.uk/for_organisations/data_protection/topic_guides/online/byod |
| Version 6 | October 2014 | Following completion of an Equalities Impact Assessment |
| Version 7 | July 2015 | Amendments following Policy Review Group |


CONTENTS

1 Background
2 Eligibility
3 Devices and Support
4 Acceptable Use
5 Reimbursement
6 Security
7 Data Protection
8 Risk/Liabilities/Disclaimer
9 Equal Opportunities/Equalities Impact Assessment
10 Review Date
11 Links to other policies

Appendices

Appendix 1 Employee User Agreement
Appendix 2 Security Features Applied to Devices
Appendix 3 Setting Up Your Device with MobileIron
Appendix 4 Device Identification
Appendix 5 Consideration and Assessment of Risks
Appendix 6 User experience of the pilot
Appendix 7 MDM Software database queries


For the purposes of clarity this document refers to personal data and identifiable data. ‘Personal data’ is defined as data and information held on devices pertinent to the owner and their non-work usage of the device. ‘Identifiable data’ is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

1. BACKGROUND

1.1. The Clinical Commissioning Group (CCG) recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use. This policy aims to specifically cover the use of non-CCG, personal smartphones and tablets and their integration with the CCG Exchange Server to access work-related calendars, contacts and emails.

1.2. This Bring Your Own Device (BYOD) initiative aims to combine simplicity for individuals and effective, risk assessed security control for the CCG’s identifiable data and technology infrastructure. CCG employees must agree to the terms and conditions in this policy in order to be able to use their device to access & process work-related communications.

2. ELIGIBILITY

2.1 All CCG employees, including Clinical Leads, are eligible for authorisation, provided they are risk assessed, undertake security awareness training and are able to satisfy the terms of access and sign the accompanying user agreement.

Employees with on-call responsibilities will take priority, should there be simultaneous and multiple applications for access, when determining the timescales for set-up.

Contractors are not eligible for authorisation. Contractors are not provided with CCG email addresses and as such are unable to satisfy the terms of access.

Temporary employees will be managed on a case-by-case basis. By default, temporary employees issued with a CCG email address will be treated as permanent employees.

Temporary staff who are not covered by an employment contract are required to sign a confidentiality agreement prior to being given access to information processing facilities as per the CCG’s ‘Use of Personal Information Policy’.

The Employee User Agreement is at Appendix 1.


3. DEVICES AND SUPPORT

3.1. For a personal smartphone and/or tablet device to be considered within this policy it must be able to ‘encrypt at rest’. This is primarily an operating system/software function and requirement.

3.2 The basic requirements are as follows (as at September 2014):

• Apple devices running iOS6 or later, and specifically:
  o iPhone 4 onwards
  o iPad2 onwards, including the iPad Air and all versions of the iPad Mini
• Blackberry Phones
• Android devices - Due to concerns with security issues around 3rd party applications, devices running all versions of the Android operating system are not permitted.
• Windows devices – Adequate security conditions on Windows phones are currently unproven and these devices are therefore not permitted.

3.3 Devices that do not support ‘encryption at rest’ are not permitted to access the CCG IT infrastructure.

3.4 Devices must be presented to the Head of Information and Performance at the time of submission of the user agreement to validate the information requirements of the agreement.

3.5 Personally owned laptops are not permitted to connect with the CCG Exchange Server and as such are specifically excluded from this policy.

4 ACCEPTABLE USE

4.1 The CCG defines acceptable business use as activities that directly or indirectly support the business of NHS South Gloucestershire CCG. The CCG has an ‘Acceptable Use of Information & Communication Technologies Policy’ as an element in the overarching CCG Information Governance Management System. The CCG reminds staff annually, and new employees via an ‘Acceptable Use of Information and IT Facilities’ message.

4.2 The CCG recognises that employee use of personal devices for work purposes occurs inside and outside of traditional ‘office hours’, i.e. at evenings and weekends. This policy does not therefore define working hours; however, employees are encouraged to ensure they are familiar with the CCG ‘Work Life Balance And Flexible Working Policy’.

4.3 The CCG defines acceptable personal use on company time as reasonable and limited personal communication or recreation.


4.4 Staff should ensure that any personal data use does not put work-related identifiable information at risk. Examples include sharing the device with identifiable information on it with others, such as family and friends, or downloading apps which could access such information.

4.5 Corporate identifiable data can only be created, processed, stored and communicated on personal devices running the CCG’s chosen Mobile Device Management (MDM) client software. Devices not running MDM can connect to the CCG guest network providing an internet connection, but will not be granted access to the corporate infrastructure.

4.6 The CCG Information Governance Management System outlines considerations of acceptable use. Employees must not:

• Share personal usernames and/or passwords or leave devices logged in and unattended at any time.
• Save or transmit proprietary information belonging to another company that is outside of that company’s intended usage, terms and conditions.
• Engage in external business activities.
• Cause offence to any individual (including members of staff or the public) or risk damaging the organisation’s reputation by either creating, accessing, storing or sending/posting any images, files, messages or data that could be said to be abusive, sexist, racist, defamatory, obscene or otherwise offensive or inappropriate or breach confidentiality/privacy of any individual or commercial organisation. This includes personal use of social media outside of work.
• Use ‘social media’ to communicate on behalf of the organisation unless this is a normal or delegated and accepted part of their role.
• Use organisation facilities for advertising/fund raising not directly connected with the organisation, other than the use of any social notice board facilities.
• Use data that identifies individuals unless absolutely necessary.

4.7 Employee use of CCG IT infrastructure and access via personally owned devices is as follows:

• Calendars - Access permitted
• Email - Access permitted
• Contacts - Access permitted
• Documents - Access currently not permitted

4.8 Each element permitted above is individually configurable within personal devices. For example, whilst a device may be able to access the services listed above, the user may wish to access only one or some of the permissions available to them.

4.9 Employees are not permitted to allow anyone else to access identifiable and organisationally sensitive information stored on their device. This will be managed as follows:


• Calendars – Staff will be expected to mark ‘sensitive’ meetings as private in their calendar.
• Email – Staff will be expected to ensure others do not access email on their device (see ‘e-mails’ within the CCG ‘Acceptable Use of Information & Communication Technologies Policy’).
• Contacts – Staff will be expected to ensure that others do not access their work related contacts.
• Documents – when permitted, access to documents will be via a further level of security.

4.10 The CCG has a zero-tolerance policy for texting or emailing while driving (whatever the device make and model) and only hands-free talking while driving is permitted.

5 REIMBURSEMENT

5.1 The CCG will not reimburse employees for some or all of the cost of personal devices. Neither will the CCG pay employees an allowance to purchase a device for work purposes.

5.2 Staff should discuss with their line-manager any issues with cost implications as a result of using their device for business purposes (for example, where it is evident that specific business calls made have led to an employee call plan being exceeded).

5.3 South Gloucestershire CCG will not cover any damage to personal devices. It is recommended that device owners insure their device as part of their home contents insurance and, if necessary, advise their insurer that the device will be used for work purposes at home and at work locations.

6 SECURITY

6.1 Employees wishing to use their personal devices as per this policy will be required to download to their device an approved Third Party App (currently MobileIron, http://www.mobileiron.com/en/solutions/mobile-device-management). This application enables the organisation’s IT provider to manage the CCG infrastructure and enable certain security features on the device.

6.2 The security features enabled aim to ensure that:

• The CCG meets its legal requirements for Information Governance and associated risk assessment.
• The Employee meets the expected standards of security as an employee.
• The Employee is able to use their device in a personal capacity with as little disruption as is possible.


6.3 The user agreement requires employees to log the device model and serial number and log the phone number where applicable.

6.4 In order to prevent unauthorized access, devices must be passcode protected using the features of the device. The device must also lock itself with a password or PIN if idle for five minutes.

6.5 ‘Jailbroken’ Apple devices are strictly forbidden from accessing the CCG infrastructure.

6.6 The employee’s device must be enabled with the ‘Find my iPhone’ App for Apple devices (and similar software for other operating systems where appropriate) in order that personal data may be remotely wiped by the user. Identifiable data may also be remotely wiped by the CCG’s IT Provider using the Third Party Security Software if:

• the device is lost
• the employee terminates his or her employment
• IT detects a data or policy breach, a virus or similar threat to the security of the company’s identifiable data and technology infrastructure.

Security features and settings within the third party software can be found at Appendix 2.

7 DATA PROTECTION

7.1 Personal data provided by device owners in the sign-up to this policy will only be used by the CCG for the purposes of device registration and management.

7.2 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

7.3 The CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

7.4 The CCG’s current IT provider is South, Central and West Commissioning Support Unit and the current preferred MDM software tool is MobileIron.

8 RISKS/LIABILITIES/DISCLAIMERS

8.1 The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.

8.2 Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email at [email protected] or by phone on 0845 051 4646. Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.


8.3 The employee is expected to use his or her device(s) in adherence to the CCG’s acceptable use policy as indicated in Section 4 above.

8.4 The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

8.5 The CCG cannot be held accountable for any risks to an owner’s personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

8.6 The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.

9 EQUAL OPPORTUNITIES/EQUALITIES IMPACT ASSESSMENT

9.1 An Equality Impact Assessment has been completed for this policy and procedure and it does not marginalise or discriminate against minority groups.

10 REVIEW DATE

10.1 This policy and procedure will be reviewed every 2 years, or earlier at the request of either staff or management side, or in light of any changes to legislation or National Guidance.

11 LINKS TO OTHER POLICIES

11.1 This policy should be read in conjunction with the following CCG policies:

• The CCG Information Governance Management System, specifically:
  o Use of Personal Information Policy
  o Acceptable Use of Information & Communication Technologies Policy
• Work Life Balance and Flexible Working Policy
• Policy and Procedure For Incident Reporting
• HR policies, developed in conjunction with the North Bristol Trust, and other documentation. These include Equality and Diversity in the workplace, Employee Contract of Employment, IT Policy


APPENDIX 1

BRING YOUR OWN DEVICE (BYOD) - EMPLOYEE USER AGREEMENT

By completing and signing this user agreement

……………………………………………………………………....(print name) agrees to adhere

to the policy as is in place at the time of signing…………………………………………….(date)

Make and Model of personal device:

Phone

Manufacturer Apple Model iPhone ………………….

Serial Number……………………………………Phone Number…(+44) …………………………

Software Version………………………………..

Tablet

Manufacturer Apple Model iPad ………………………

Serial Number…………………………………….Software Version…………………………………

I confirm that this device is passcode protected

I confirm that this device has not been ‘Jailbroken’

I confirm that this device is set to lock itself with a password or PIN if idle for five minutes

I confirm that the operating system on this device is up to date and will be maintained

User Signature……………………………………………………..Date……………….................


Privacy Notice

The personal data provided above will only be used for the purposes of device registration and management.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data internally.

South Gloucestershire CCG, its contracted IT Provider and the MDM Software will not pass on or share personal data to any other party or organisation.

South Gloucestershire CCG’s current IT provider is South, Central and West Commissioning Support Unit and the preferred MDM software tool is MobileIron.

User Acknowledgement

The CCG and the CCG contracted IT support provider reserve the right to disconnect devices or disable services without notification.

Lost or stolen devices must be reported to the CCG IT Provider IT Service Desk promptly and within 24 hours via email at [email protected] or by phone on 0845 051 4646.

Employees are also responsible for notifying their mobile data carrier immediately upon loss of a device.

The employee is expected to use his or her device(s) in adherence to the CCG’s acceptable use policy as indicated in Section 4 above.

The employee is personally liable for all costs associated with his or her device as per the paragraph on reimbursement above.

The CCG cannot be held accountable for any risks to an owner’s personal data, including but not limited to, the partial or complete loss of personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable, unless the Mobile Device Management solution can be proven to be responsible.

The CCG reserves the right to take appropriate disciplinary action up to and including termination of contract for noncompliance with this policy.

For CCG Use only:

All details provided above are correct at the time of

Signing………………………………..(date)

Signed for the CCG………………………………………………………………………

Position……………………………………………………………………………………

SIRO…………………………………………………………………

The original of this agreement will be held by the CCG Chief Financial Officer who is the statutory Senior Information Risk Officer (SIRO)

A copy of this agreement will be held by the employee, the CCG SIRO and the CCG IT Support Provider


APPENDIX 2

SECURITY SETTINGS OF THE MOBILE DEVICE MANAGEMENT SOFTWARE AS APPLIED TO DEVICES

The table below lists the security parameters as installed by the Third Party Security Software (currently MobileIron). Individual device security options may also be applicable under the corporate policy which go further than the table below.

| Security Element | Parameter in MobileIron | What this means? |
|---|---|---|
| Password | Mandatory | Device must have a passcode/password screen lock |
| Password Type | Simple | Alphanumeric as a minimum |
| Maximum Inactivity Timeout | 5 minutes | Device to be set to sleep 5 minutes after last touchscreen keystroke |
| Minimum Password Length | 4 | Four digit passcodes allowable – no maximum |
| Minimum Number of Complex Characters | 0 | Does not require non-alphanumeric characters |
| Maximum Passcode Age | 40 days | User will be prompted after 40 days to change screen lock code |
| Maximum Number of Failed Attempts | 10 | Device will be locked out and require IT unlock after 10 unsuccessful attempts |
| Password History | 5 | No repeat passcode/password for 200 days (5x40 days) |
| Secure Apps Only | Enabled | Checks and disables ‘Jailbroken’ devices |
| Smartphone Encryption | Enabled | Checks for ‘encryption at rest’ |
| Take Action if iOS is less than | 5.0 | Disables devices with old operating systems (pre-2012) |
| Take Action if iOS Data Protection is not enabled | Enabled | Prompts user to apply encryption |
| Take Action if iOS is compromised | Enabled | Prompts user to wipe device |
| Take Action if MobileIron is deactivated | Enabled | Prompts user to reactivate and notifies CCG IT Support |

It is possible to remove corporate data from personally owned devices using MobileIron. MobileIron sends a profile to the device with a certificate. Corporate documents/data and apps, and email address, i.e. ccg.nhs/uk, are managed by MobileIron and associated with certificates. When the certificates are removed remotely by MobileIron, the apps/data/documents and email data associated with the email address are removed and the data is no longer accessible. Private email accounts are not affected. MobileIron can “retire” devices, wiping only the corporate data from the device and leaving personal data/apps untouched. MobileIron only controls the data which it has placed on the device and this is managed by certificates.


APPENDIX 3

SETTING UP YOUR DEVICE WITH MOBILEIRON

Setup MobileIron on iOS (iPhone/iPad)

If you haven’t already installed the MobileIron App: Go to the App Store on your device and install ‘MobileIron Mobile@Work’.

Once downloaded, open the App and enter the following information at the relevant prompts.

• User Name: firstname.lastname (as per staff login to desktop computer)
• Server: ahavsp.somerset.nhs.uk
• Password: your domain (Windows) login password.

Follow ‘on screen prompts’:

o Important: When prompted, allow MobileIron to use Location Services.
o ‘Ok’ to download configuration.
o ‘Install’ AIMTC profile.
o ‘Install Now’
o At prompt, enter your device passcode (if you have already set one up).
o ‘Done’
o ‘Install’ when you see a certificate warning.
o ‘Done’

Return to home screen.

o You may have to wait up to 5 minutes whilst the policies and settings (including mail) download to your device.


APPENDIX 4

SUPPORTED DEVICE IDENTIFICATION

[Figure: images identifying the supported devices, labelled 4/4S, 5, 5c, 5S, 6 and 6Plus]


APPENDIX 5

CONSIDERATION AND ASSESSMENT OF RISKS

The CCG recognises that mobile electronic devices are now an essential tool to some individuals in their everyday work and social environments, and that employees may have personal and specific preferences with regard to the mobile devices they use. However, in trying to strike a balance between the use of personal devices for the functions which they were bought for, in conjunction with corporate accesses to calendars, emails and documents, the CCG needs to risk assess and mitigate for the potential and real security issues that this policy might highlight.

Bring Your Own Device (BYOD) policies are a recent development in IT infrastructure enablers for employees and there are few if any NHS policies available for comparison. It should therefore be noted that this policy, its risk assessment and the mitigation actions and decisions are not final and will undoubtedly be subject to both ad hoc and routine review and amendment.

The Data Protection Act 1998 (the DPA) is based around eight principles of ‘good information handling’. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it. The seventh principle says: appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data.

This means the CCG must have appropriate security in place to prevent the identifiable data held from being accidentally or deliberately compromised. This is relevant if identifiable data is being processed on devices which the CCG may not have direct control over. It is important to remember therefore that the CCG, as data controller, must remain in control of the identifiable data for which it is responsible, regardless of the ownership of the device used to carry out the processing.

The Information Commissioner’s Office advises that organisations consider and assess the following risks:

• what type of data is held;
• where data may be stored;
• how it is transferred;
• potential for data leakage;
• blurring of personal and business use;
• the device’s security capacities;
• what to do if the person who owns the device leaves their employment; and
• how to deal with the loss, theft, failure and support of a device.

Each of the above considerations is evaluated in the ‘Risk Assessment’ section below.


RISK ASSESSMENT

What type of data is held?

There are two elements of data that can be determined after consideration and the Information Commissioner’s Office also advises that ‘BYOD’ must not introduce vulnerabilities into existing secure environments. For the purposes of this assessment ‘personal data’ is defined as data and information held on devices pertinent to the owner and their non-work usage of the device, and ‘identifiable data’ is defined as work-related information held on devices and enabled by the 3rd party mobile device management software.

Personal Data - Users are requested to submit a small number of personal data items upon registration. This data is used for the following purposes:

• Name – to identify the user
• Device manufacturer and model – to identify the device and ensure compatibility
• Device software version – to ensure compatibility
• Device serial number – to enable linkage to mobile device management software and allow data flows

Each of the above data items is essential for the registration of individual devices. Employees are under no obligation to register for BYOD access and a privacy notice is included with the registration form. There is no added vulnerability to organisational infrastructures in the provision or handling of this data.

Identifiable Data – Employees electing to register for BYOD access are only able to synchronize their emails, calendar and contacts from the organisational Microsoft Exchange Server to the native mail, calendar and contacts apps on their device. Access is only available through the installation of approved Mobile Device Management (MDM) software. Without this MDM security feature each of these elements is already available to mobile device users via the Microsoft Outlook Web Access webpage that requires simple username/password entry to a web page. The MDM software therefore enhances security beyond website access and mitigates any vulnerabilities contained therein.


Where is data stored?

Personal Data – Users’ personal data is stored as per the user’s own configurations as chosen on the device. This could be on the device or in a private/community/public cloud.

Identifiable Data – The MDM software limits the storing of identifiable data to the organisation’s IT network, iCloud and the device for one month’s worth of emails in the user’s inbox, drafts, sent items and deleted items only. No networked personal email file storage is permitted. As the data controller, the CCG has therefore taken appropriate and reasonable measures to ensure data security in the event of device failure, loss or theft.

How is data transferred?

Corporate identifiable data involves the transfer of email, calendar and contact data between the device and the CCG exchange server infrastructure. Whilst this element of the corporate infrastructure may be the target of malicious attack (hacking), any activity in this area would be most likely network based and unlikely to concentrate on one or several mobile devices as the point of entry. The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner’s Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

Another method of possible data transfer is through the use, and potentially misuse, loss or theft of removable media, such as memory cards. In specifying that only Apple devices are enabled, this risk is completely mitigated as there is no removable storage capability built into iPhones or iPads.

What potential is there for data leakage?

The primary potential for data leakage lies with human error and the possibility of emailing and forwarding emails to inaccurate email addresses. However, the potential is not considered to be higher than similar human error whilst communicating via email from non-mobile devices (i.e. CCG desktop PC).

Users are reminded of the available guidance in the CCG’s Acceptable Use of Information & Communication Technologies Policy and this is reinforced in the BYOD staff training. iCloud is another potential area for data leakage and back-up to iCloud is currently enabled, and could if deemed necessary be disabled. However, at this time, users of the BYOD policy are not recipients of patient-level identifiable data, a prerequisite of sign-up.


Where are the Personal/Work Boundaries?

There is no human monitoring of personal usage. The MDM software monitors and manages access to approved applications, but the in-app activities of individual users are not monitored as the organisation deems this to be an invasion of personal privacy. That said, staff are reminded of their corporate responsibilities as per the policies named on page 2 of this document.

How capable is the device security?

Apple devices employ ‘encryption at rest’ as default. This means that data stored on the device is encrypted against malicious attack, even if retrieved illegally. MDM software further encrypts data during transmission, and identifiable data belonging to the CCG can be remotely erased by the CCG’s IT Provider upon notification of failure, loss or theft. The MDM software is further configured to force users to use a keypad security access code upon waking their device, and to apply a mandatory, maximum time-out duration of 5 minutes. Further, staff are required to:

Enable the ‘Find my iPhone’ app to their device to locate their device should it be lost or stolen.

Ensure operating systems are up to date, and

Confirm that the device has not been ‘jailbroken’, that is that the device has not been locally hacked to allow unrestricted access to technical configurations within the device.

Limiting the choice of connectable devices is a step that the Information Commissioner’s Office considers to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

How are settings managed when employees leave or are dismissed?

The CCG has an HR process that ensures the closure of individual email accounts when an employee leaves the organisation, for whatever reason. An element of the ‘leavers’ checklist is to determine whether the individual is registered with the MDM software. Where this is established the IT Provider remotely removes all accesses and data through the MDM software functionality. The individual is then responsible for the removal of the MDM application from their device. Access to identifiable data cannot occur in instances where the user fails to remove the application from the device.

What happens in the event of loss, theft or failure of the device?

Users are required to report loss, theft or failure of devices promptly, and within 24 hours via email or by telephone to the CCG’s IT Service Provider. Identifiable data, as described in this documentation, can then be remotely wiped using the MDM software.


Users are also able to choose whether to wipe personal data using the ‘Find My iPhone’ app, its download being a prerequisite of sign-up.

How is the device supported?

The CCG only supports the user’s device in terms of the access provided through the MDM software. Users have a responsibility to notify the data controller in instances where devices are returned to manufacturers under warranty or sold, in order that the identifiable data may be remotely wiped. The MDM software also has location finding functionality which is able to determine if the device is in a ‘usual’ location. Users are also supported via staff training and a quick reference usage guide.

Summary of Assessment

The Information Commissioner’s Office also advises that ‘BYOD must not introduce vulnerabilities into existing secure environments.’ The MDM software separates personal data from identifiable data and enhances security beyond widely accessible website access to Outlook, thereby mitigating the vulnerabilities of email via web access.

Data storage is enabled to allow personal back-ups to continue and limits identifiable data storage to one month’s emails in selected Outlook folders.

The MDM software forces data traffic through an encrypted channel using a Virtual Private Network (VPN). The Information Commissioner’s Office considers this step to be one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security.

The potential for data loss via email is not considered to be any higher than when using non-mobile devices such as desktop computers.

Device security is paramount for both personal data and identifiable data. The configurations of MDM software and the inherent security of Apple devices ensure integrity as far as is considered appropriate and reasonable.

The CCG has an HR process that ensures the closure of individual email accounts when an employee leaves the organisation, for whatever reason.

Users are required to report the loss, theft or failure of devices in order that identifiable data may be remotely wiped. Users are also able to wipe personal data using ‘Find my iPhone’.

User support from the CCG is provided by the MDM software and managed by the CCG IT provider.


Users are also supported via staff training and a quick reference usage guide.

Scoring Risks & Risk Assessment Matrix

Risks are scored using the matrix below. The level of consequence is decided which gives a sum between 1 (insignificant) and 5 (fatal); the probability of the risk happening is then decided which gives a sum between 1 (remote) and 5 (certain). Multiplying the two sums together will give the risk score, e.g. Consequence (major) x probability (possible) would be 3 x 3 = risk score of 9. The risk scores are given on the matrix below. Risk scores at 15 and above are included in this register.

| Probability of Event (P) \ Consequence/Severity of Event (C) | 1x Insignificant | 2x Minor | 3x Major | 4x Severe | 5x Fatal |
|---|---|---|---|---|---|
| 5x Certain | 5 | 10 Act Soon | 15 Act Now | 20 Act Now | 25 Stop |
| 4x Probable | 4 | 8 Act Soon | 12 Act Soon | 16 Act Now | 20 Act Now |
| 3x Possible | 3 | 6 | 9 Act Soon | 12 Act Soon | 15 Act Now |
| 2x Improbable | 2 | 4 | 6 | 8 Act Soon | 10 Act Soon |
| 1x Remote | 1 | 2 | 3 | 4 | 5 |


Risk Assessment Ratings

| Risk Ref. | Description of Risk | Initial Risk Rating PxC | Mitigating Actions | Mitigated Risk Score | Mitigated RAG Rating |
|---|---|---|---|---|---|
| 1 | Storage of ‘identifiable data’ outside of approved locations | 3x3=9 | Implementation of MDM software to individual devices | 2x3=6 | |
| 2 | Transfer of ‘identifiable data’ from CCG network | 4x3=12 | MDM software configured to disable network folder access | 1x3=3 | |
| 3 | Potential for ‘identifiable data’ leakage | 3x4=12 | Staff training/CCG Policies re: email usage to avoid incidents of ‘human error’ however no greater perceived potential than users working from non-mobile devices | 2x4=8 | |
| 4 | Device security | 4x4=16 | Implementation of MDM software to individual devices; Requirement to enable the ‘Find my iPhone’ app to devices should it be lost or stolen; Requirement to ensure operating systems are up to date, and confirmation that devices are not ‘jailbroken’; Limiting the choice of connectable devices as per the Information Commissioner’s Office consideration that this step is one of the most important in evidencing that an organisation has taken appropriate and reasonable measures of data security. | 2x3=6 | |
| 5 | CCG Staff member leaves the organisation taking ‘identifiable data’ with them | 3x3=9 | HR processes close down email accounts and remove the MDM software | 1x3=3 | |
| 6 | Loss, Theft or Failure of Device | 3x4=12 | User requirement to report loss, theft or failure. MDM software configured to erase ‘identifiable data’ upon notification. | 3x2=6 | |


APPENDIX 6

User Experience of the Pilot

From mid-August 2013 the CCG has piloted the implementation of MobileIron on personal devices for ten (9) users and eleven (11) devices. Two users piloted both phone and tablet devices. The pilot was limited to users with Apple devices as together with SWCSU, as the IT Provider, these were considered to be the most identifiable and robust devices to test. The spread of devices was as follows:

| Device Type/Model | Number of Users |
|---|---|
| iPhone 3S | One |
| iPhone 4 | One |
| iPhone 4S | Four |
| iPhone 5 | One |
| iPhone 5S | One |
| iPad 2 | One |
| iPad 4 | One |
| iPad Mini | One |

Over the twelve months of the pilot there have been no reported incidents of security software interference with users and no reported incidents of data loss, device loss or potential security breaches. During the course of the pilot the proprietary operating system software was internationally updated twice. Whilst this worked without incident for iPad users, iPhone users reported twice daily text alerts (at various times of the day) of a reported ‘passcode non-compliance’. Whilst this has not affected device usage it has proved to be an annoyance and is likely to be resolved only when the final stable release of iOS7 is available AND MobileIron has implemented its update to match. (This occurred in January 2014)


Risk Assessment

The table below compares national guidance concerning nhs.net access with guidance from the Information Governance Team at the Commissioning Support Unit and the settings in MobileIron and the CCG.

| Parameter | National Guidance [1] (nhs.net) | ISO27000 Security Standard | MobileIron Setting | Current CCG Device Setting | Recommended CCG Device Setting |
|---|---|---|---|---|---|
| Password | Required | Required | Required | Required | Required |
| Password Type | Complex | Complex - unless risk assessed | Simple | Simple | Simple |
| Maximum Inactivity Timeout | 20 minutes | 10 minutes | 30 minutes | 5 minutes | 5 minutes |
| Minimum Password Length | 8 characters (for nhs.net access) | 6 characters | 4 characters | 4 characters | 4 characters |
| Minimum Number of Complex Characters | At least one from 3 of 4 categories: Uppercase, Lowercase, Numeric, Non-Numeric | Alpha-Numeric | Disabled | Disabled but allowable at user discretion | Disabled but allowable at user discretion |
| Maximum Number of Failed Attempts | 8 | 3 | 10 | 10 | 5 |
| Maximum Passcode Age | 90 days | 90 days | 40 days | 40 days | 90 days |
| Password History | 4 | 4 – based on age above | 5 | 5 | 4 |
| Email Synchronisation | 1 month | Not Limited | Not limited | Not limited | 1 month |
| Encryption at Rest | n/a | Enabled | Enabled | Enabled | Enabled |

Key:

CCG Parameter meets or exceeds risk-based standard

CCG Parameter does not meet risk-based standard

[1] ‘Password Policy for Non-Spine Connected Applications, Good Practice Guideline’, Connecting for Health, 2010, accessed via http://systems.hscic.gov.uk/infogov/security/infrasec/gpg/index_html on 30/10/2013

One of the main priorities in the implementation of this policy has been to ensure, wherever possible, that the user is able to use the device in the manner to which they are accustomed without any apparent interference from the installation of MobileIron profiles. As such, the password type, minimum password length and complexity level of passcodes have been made mandatory but left at the discretion of the user.

In using this basic principle, the proposed mitigations for any perceived or real lack of security are to:

Considerably reduce the inactivity timeout from 20 minutes to 5 minutes

Increase the frequency of enforced passcode changes from 90 days to 40 days (from 4 to 9 times a year)

Ensure only devices able to provide ‘encryption at rest’ are permitted access.

Recommendations

The recommendations for further adjustments to increase security are to:

Reduce the maximum number of failed attempts from 10 attempts to 5 attempts, with a view to reducing further to 3 attempts after a six-month review of implementation

Amend the passcode history and maximum age parameters to meet national guidance. National guidance suggests a 90 day passcode age with no repeat for four passcodes. This equals 360 days between passcodes. Current MobileIron implementation is 200 days (40 day passcode with 5 histories).

Set devices to only synchronise email for one month. Note: No network or personal email folders are made available through access to email.


APPENDIX 7 MDM SOFTWARE DATABASE QUERIES
